A new strain of ransomware has been found attacking SonicWall SMA 100 Series VPN appliances. Researchers call it "FiveHands", and its targets span Europe and North America.
According to Mandiant security analysts, the group behind the attacks is UNC2447, which specializes in data theft and network intrusions.
They also said that this group is responsible for deploying the "FiveHands" ransomware, and that the attacks took place before SonicWall released patches later in February.
Group's Operation Targets SonicWall
UNC2447 is no newcomer to exploiting systems. Before dropping ransomware payloads, the group was observed keeping control of compromised hosts with Cobalt Strike implants while looking for further deployments.
Another piece of malware, the SombRAT backdoor, has also been linked to this gang of hackers during the CostaRicto campaign, according to the BlackBerry blog.
In January, several zero-day attacks also hit SonicWall's internal systems. In the same month, NCC Group reported that zero-day vulnerabilities in the SMA 100 series were being exploited in the wild.
FiveHands Ransomware Has Resemblance to HelloKitty Ransomware
In October 2020, UNC2447 began deploying the FiveHands ransomware in the wild. The malware shares striking similarities with the HelloKitty ransomware, which caused delays to the "Cyberpunk 2077" 1.2 patch.
That ransomware was a serious headache for CD Projekt Red, the video game publisher of "Cyberpunk." The developer said that the hackers stole the game's source code.
Other games involved in the attack were "The Witcher 3" and its unreleased version, and "Gwent."
Besides SonicWall and CD Projekt Red, the Companhia Energética de Minas Gerais, a large corporation in Brazil, has also fallen victim to the hackers' operations.
Diving deeper, Mandiant said that by January, activity from the crew behind the HelloKitty ransomware had gradually decreased. FiveHands then emerged in its place, in attacks that continue to this day.
"Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVE HANDS since approximately January 2021," the threat analysts said.
Often described as identical malware, FiveHands and HelloKitty share the same features and code. Earlier this April, Mandiant also found that the HelloKitty favicon is linked to the FiveHands ransomware site on Tor.
On Thursday, Apr. 27, Bleeping Computer reported that a new ransomware attack had struck the Whistler resort municipality using the same Tor site. At the moment, it is not yet known whether the attack is connected to FiveHands.
Compared to DeathRansom and HelloKitty, what sets FiveHands apart is its extra functionality: it can use the Windows Restart Manager to close a file that is currently in use, then lock and encrypt it.
This article is owned by Tech Times
Written by Joseph Henry